In my previous blog post, I discussed the unfortunate outlook surrounding ransomware threats on today’s financial institutions. In this post, we’re turning the tables and discussing how organizations can fight back—and win.
A Quick Overview
For starters, it’s vital that security teams have processes in place to find indicators of compromise (IoCs) in the enterprise ecosystem before an attack is launched. When an event does occur—and it inevitably will—recovery is the #1 mission-critical task at hand.
Fast is the name of the game: Fast backups, lots of backups, and especially fast restore capabilities (plus, something to restore from) are critical. Even the traditional approach of storing backups in multiple locations is compromised if those backups take days, weeks, or even months to restore. Ransomware threat actors wait for no one.
Forensics also plays an important part as attackers are known to attach additional undetectable ransomware. It’s as if the police responded to a home robbery but didn’t check the entire house—the thief may still be lurking inside. Data must be cleansed before being released into the ecosystem, and that takes time.
If You Can’t Beat Them, Join Them (Sort Of)
As detailed in our white paper, Winning the Ransomware War in Financial Services, ransomware attacks follow a typical life cycle pattern (before, during, and after) regardless of the attack type. By mimicking (and matching) how such attacks evolve, security teams can undertake specific activities geared towards mitigating every phase of an event’s life cycle, enabling institutions to gain the upper hand by being proactive.
Discover how Pure Storage can protect your financial institution, today and tomorrow.
Before an Attack
Before any ransomware defense strategy can be put in place, management/board-level buy-in is required. Once that’s accomplished, consistent logging across the organization’s entire environment is necessary, as well as implementing a comprehensive analytics platform to help identify threat actor signs. Threat “hunters,” consisting of both human personnel and automated apps, should always be actively looking for breaches (potential or real) in the ecosystem, and cleaning those compromised areas in a timely manner.
Augmenting these tasks must be all-inclusive security awareness training—with a focus on ransomware—that includes all credentialed stakeholders (employees, contractors, partners, etc.). Such training should also encompass communication procedures and channels to be employed if systems suddenly go offline or are compromised due to an attack.
During an Attack
Ransomware attacks typically occur in off-hours, such as the middle of a weekend night when offices are unattended and IT personnel are asleep. This means by the time an attack has been identified, the damage is done. It’s mission critical to contain the fallout and start communication ASAP. Identifying the type of attack and the breadth of the breach, all while mobilizing incident response teams, must be the focus. Concurrently, pre-defined lockdown procedures (on which all relevant stakeholders have been trained) must also be activated. Teams need to uncover how much data is compromised, what systems are still working, and any and all other relevant information.
After an Attack
For financial institutions, every second of downtime costs money and this ticking clock also poses significant reputational risk to the organization. That’s why the next challenge revolves around recovery and restoration. This consists of prioritizing which systems are most vital based on which ones have been compromised and their “value” for immediate operations. It’s imperative recovery efforts begin offline, in an isolated environment, in case additional undetected ransomware is attached.
Personnel can then methodically restore the systems into additional isolated recovery environments to ensure they’re fully disinfected and functional before being reintroduced into production. Finally, team members must communicate consistently and continually to relevant stakeholders to keep them up to date on the recovery efforts.
Don’t Forget the Technology
Of course, even the best ransomware strategies are essentially useless without the right technology to back them up. That’s where Pure Storage can be a great ally for your enterprise. During an attack, immutable Pure Storage® SafeMode™ snapshots are a great defense.
Recovery snapshots can’t be deleted, modified, or encrypted, even with admin credentials. It offers the peace of mind every financial institution needs. Rapid Restore, powered by Pure Storage FlashBlade®, dramatically increases the speed of data restoration without the need to change backup software. Lastly, Pure Evergreen Storage™ and Pure as-a-Service™ enable financial institutions of all sizes to always have the latest hardware and software at their disposal, without any risky downtime.
Get the Ransomware Survival Kit for Financial Services, including the just-released white paper Making the Most of RegTech for Financial Services.